Cybersecurity leaders agree that they must engage with the board at their organizations to do their jobs. In reality, board engagement lags, and that disconnect drags down CISOs’ job satisfaction.
Nearly half of CISOs (40%) at small and mid-market organizations have minimal or no access to full boards, according to the 2025 Compensation and Budget for CISOs in the Small and Middle Market report from IANS and Artico Search. Among CISOs who lack the ability to interact with their boards, half report being dissatisfied with their jobs. Just 8% of CISOs who have quarterly board access express job satisfaction, according to the report.
“In some companies, the CISO is a bottom-up job and somebody who gets blamed but doesn’t have the purview and the access that they really need to do their job,” says Marty Barrack, CISO, chief legal officer and compliance officer at XiFin and ISACA member. “If you’re going to do your job as a CISO, you need board access.”
CISOs must consider what a disconnect from their boards means for their ability to execute and how to build fruitful relationships with the board when they do have that coveted access.
Lack of board access leads to job dissatisfaction
CISOs who don’t get access to the board are often buried within their organizations. “There are a lot of companies that will hire at a director level or even a senior manager level and call it a CISO. But they don’t have the authority and scope to actually be able to execute what a CISO does,” says Nick Kathmann, CISO at LogicGate.
Instead of reporting directly to the board or CEO, these CISOs will report to a CIO, CTO or other executive, despite the problems that can arise in this type of reporting structure. CIOs and CTOs are often tasked with implementing new technology. The CISO’s job is to identify risks and ensure the organization is secure.
“If the CIO doesn’t like those risks or doesn’t want to do anything to fix those risks, they’ll essentially suppress them [CISOs] as much as they can,” says Kathmann.
CISOs often end up shouldering the brunt of the blame when a security incident happens, despite never having had the opportunity to communicate risk to the board and secure adequate buy-in to manage that risk. That scenario quickly leads to frustration and job dissatisfaction.
Barrack is an active member of the CISO community. He often hears these frustrations from peers he connects with through the San Diego chapter of ISACA. “The typical CISO that I interact with is not very satisfied and not properly empowered to succeed in their job,” he says.
CISOs’ frustrations are reflected in their frequently short tenures. A 2023 report from Cybersecurity Ventures found that CISOs last an average of 18 to 26 months. “I’ve seen more CISOs leave their position over the last two years and not return. They’re moving on and doing other things,” says George Gerchow, chief security officer at Bedrock Security and faculty advisor at IANS.
Gerchow has experienced firsthand the frustrations of a less than ideal reporting structure. Initially, he was reporting to the right places, but organizational changes upended those communication channels. He was rarely communicating one-on-one with his boss, and the board was paying much less attention to him. “I felt like I had a wall between us, and then, my team started suffering. And I started seeing them leaving the company. I couldn’t talk them into staying very much. I probably waited too long, but I pulled the plug,” Gerchow shares.
Coming into his current role with Bedrock Security, Gerchow made board reporting nonnegotiable. “In my contract, it says I must report to the CEO or the board,” he says.
Building a relationship with the board
The CISO Executive Network is a peer-to-peer organization for information security professionals with more than 1,500 members. Andy Land, general manager of the organization, is seeing most of those members working with solid access to their boards. “But the question is, are we fundamentally doing anything good with that access?” he asks.
Getting in front of the board is one thing. Effectively communicating cybersecurity needs and getting them met is another. It starts with forming relationships with C-suite peers. Whether CISOs are still reporting up to another executive or not, they need to understand their peers’ priorities and how cybersecurity can mesh with those.
“The CISO job is an executive job. As an executive, you rely completely on your peer relationships. You can’t do anything as an executive in a vacuum,” says Barrack.
Working in collaboration, rather than contention, with other executives can prepare CISOs to make the most of their time in front of the board.
Once they have the board’s attention, they have to keep it. And that means leaning into business leadership rather than the technical know-how that might have helped them land the CISO job in the first place. Different board members have different areas of expertise, but their focus will be largely, and at a high level, on the company’s financial success. Talk of CVEs and the latest ransomware gang is likely to do little to motivate board members.
“You will lose credibility, and it will be very hard for you to get it back because most boards and most executives are very judgmental,” says Barrack. “They make very quick decisions about your level of capability.”
CISOs who spend time learning how the different aspects of a business work and what its board members care about are going to find a more receptive audience. “If you come into a board made up of all sales people and you start talking about pipeline loss and revenue loss and customer churn as it relates to cyber risk, you’re going to get their attention,” says Kathmann.
The CISO role is still a relatively new one. Cybersecurity is gaining more attention, but the issue of board reporting remains a common frustration. For CISOs who don’t feel that their peers and their boards are empowering them to do their jobs, it may be time to reevaluate their approach to communication and long-term outlook with the organization.
“If you’re not getting that support from the board, it may be time to start looking for a new opportunity,” says Bill Sieglein, founder of CISO Executive Network. “One of two things has happened: you’re poorly communicating, or they don’t support you.”